Total
296693 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000553 | 1 Trovebox | 1 Trovebox | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Trovebox version <= 4.0.0-rc6 contains a Server-Side request forgery vulnerability in webhook component that can result in read or update internal resources. This attack appear to be exploitable via HTTP request. This vulnerability appears to have been fixed in after commit 742b8ed. | |||||
| CVE-2018-1000552 | 1 Trovebox | 1 Trovebox | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Trovebox version <= 4.0.0-rc6 contains a SQL Injection vulnerability in album component that can result in SQL code injection. This attack appear to be exploitable via HTTP request. This vulnerability appears to have been fixed in after commit 742b8ed. | |||||
| CVE-2018-1000551 | 1 Trovebox | 1 Trovebox | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Trovebox version <= 4.0.0-rc6 contains a PHP Type juggling vulnerability in album view component that can result in Authentication bypass. This attack appear to be exploitable via HTTP Request. This vulnerability appears to have been fixed in after commit 742b8edbe. | |||||
| CVE-2018-1000550 | 2 Debian, Sympa | 2 Debian Linux, Sympa | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Sympa Community Sympa version prior to version 6.2.32 contains a Directory Traversal vulnerability in wwsympa.fcgi template editing function that can result in Possibility to create or modify files on the server filesystem. This attack appear to be exploitable via HTTP GET/POST request. This vulnerability appears to have been fixed in 6.2.32. | |||||
| CVE-2018-1000549 | 1 Wekan Project | 1 Wekan | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Wekan version 1.04.0 contains a Email / Username Enumeration vulnerability in Register' and 'Forgot your password?' pages that can result in A remote attacker could perform a brute force attack to obtain valid usernames and email addresses.. This attack appear to be exploitable via HTTP Request. | |||||
| CVE-2018-1000548 | 1 Umlet | 1 Umlet | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Umlet version < 14.3 contains a XML External Entity (XXE) vulnerability in File parsing that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted UXF file. This vulnerability appears to have been fixed in 14.3. | |||||
| CVE-2018-1000547 | 1 Corebos | 1 Corebos | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| coreBOS version 7.0 and earlier contains a Incorrect Access Control vulnerability in Module: Contacts that can result in The error allows you to access records that you have no permissions to. . | |||||
| CVE-2018-1000546 | 1 Triplea-game | 1 Triplea | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Triplea version <= 1.9.0.0.10291 contains a XML External Entity (XXE) vulnerability in Importing game data that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted game data file (XML). | |||||
| CVE-2018-1000544 | 3 Debian, Redhat, Rubyzip Project | 3 Debian Linux, Cloudforms, Rubyzip | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of .zip files , an attacker can upload a malicious file that contains symlinks or files with absolute pathnames "../" to write arbitrary files to the filesystem.. | |||||
| CVE-2018-1000543 | 1 Rockiger | 1 Akiee | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Akiee version 0.0.3 contains a XSS leading to code execution due to the use of node integration vulnerability in "Details" of a task is not validated that can result in XSS leading to abritrary code execution. This attack appear to be exploitable via The attacker tricks the victim into opening a crafted markdown. | |||||
| CVE-2018-1000542 | 1 Netbeans-mmd-plugin Project | 1 Netbeans-mmd-plugin | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| netbeans-mmd-plugin version <= 1.4.3 contains a XML External Entity (XXE) vulnerability in MMD file import that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted MMD file. | |||||
| CVE-2018-1000540 | 1 Loboevolution Project | 1 Loboevolution | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| LoboEvolution version < 9b75694cedfa4825d4a2330abf2719d470c654cd contains a XML External Entity (XXE) vulnerability in XML Parsing when viewing the XML file in the browser that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted XML file. | |||||
| CVE-2018-1000539 | 1 Json-jwt Project | 1 Json-jwt | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in Attacker can forge a authentication tag. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 1.9.4 and later. | |||||
| CVE-2018-1000538 | 1 Minio | 1 Minio | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Minio Inc. Minio S3 server version prior to RELEASE.2018-05-16T23-35-33Z contains a Allocation of Memory Without Limits or Throttling (similar to CWE-774) vulnerability in write-to-RAM that can result in Denial of Service. This attack appear to be exploitable via Sending V4-(pre)signed requests with large bodies . This vulnerability appears to have been fixed in after commit 9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7. | |||||
| CVE-2018-1000537 | 1 Marlinfw | 1 Marlin Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Marlin Firmware Marlin version 1.1.x and earlier contains a Buffer Overflow vulnerability in cardreader.cpp (Depending on branch/version) that can result in Arbitrary code execution. This attack appear to be exploitable via Crafted G-Code instruction/file is sent to the printer. | |||||
| CVE-2018-1000536 | 1 Getmedis | 1 Medis | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Medis version 0.6.1 and earlier contains a XSS vulnerability evolving into code execution due to enabled nodeIntegration for the renderer process vulnerability in Key name parameter on new key creation that can result in Unauthorized code execution in the victim's machine, within the rights of the running application. This attack appear to be exploitable via Victim is synchronizing data from the redis server which contains malicious key value. | |||||
| CVE-2018-1000535 | 1 Lms | 1 Lms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| lms version <= LMS_011123 contains a Local File Disclosure vulnerability in File reading functionality in LMS module that can result in Possible to read files on the server. This attack appear to be exploitable via GET parameter. This vulnerability appears to have been fixed in after commit 254765e. | |||||
| CVE-2018-1000534 | 1 Joplin Project | 1 Joplin | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Joplin version prior to 1.0.90 contains a XSS evolving into code execution due to enabled nodeIntegration for that particular BrowserWindow instance where XSS was identified from vulnerability in Note content field - information on the fix can be found here https://github.com/laurent22/joplin/commit/494e235e18659574f836f84fcf9f4d4fcdcfcf89 that can result in executing unauthorized code within the rights in which the application is running. This attack appear to be exploitable via Victim synchronizing notes from the cloud services or other note-keeping services which contain malicious code. This vulnerability appears to have been fixed in 1.0.90 and later. | |||||
| CVE-2018-1000533 | 1 Gitlist | 1 Gitlist | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| klaussilveira GitList version <= 0.6 contains a Passing incorrectly sanitized input to system function vulnerability in `searchTree` function that can result in Execute any code as PHP user. This attack appear to be exploitable via Send POST request using search form. This vulnerability appears to have been fixed in 0.7 after commit 87b8c26b023c3fc37f0796b14bb13710f397b322. | |||||
| CVE-2018-1000532 | 1 Beep Project | 1 Beep | 2024-11-21 | 1.9 LOW | 4.7 MEDIUM |
| beep version 1.3 and up contains a External Control of File Name or Path vulnerability in --device option that can result in Local unprivileged user can inhibit execution of arbitrary programs by other users, allowing DoS. This attack appear to be exploitable via The system must allow local users to run beep. | |||||